Bug 1131582

Summary: [GSS] (6.3.x) PickletLink IdP Filter eating cookies added to response by other filters
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Derek Horton <dehort>
Component: SecurityAssignee: Peter Skopek <pskopek>
Status: CLOSED CURRENTRELEASE QA Contact: Ondrej Kotek <okotek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3.0CC: anmiller, bbaranow, bmaxwell, istudens, jawilson, myarboro, okotek, pskopek
Target Milestone: CR2   
Target Release: EAP 6.3.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1131612 (view as bug list) Environment:
Last Closed: 2019-08-19 12:41:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1131612    
Bug Blocks: 1123427, 1132166    

Description Derek Horton 2014-08-19 15:27:51 UTC 
Description of problem:

PickletLink IdP Filter eating cookies added to response by other filters

Steps to Reproduce:
1. create a filter that adds a cookie to the httpServletResponse (response.addCookie(...))
2. ensure that you are using IDPfilter

Regardless of which is mapped first (cookie filter or idpFilter), the cookies you add to the response will not be returned to the browser. Simply commenting out the IdPFilter mapping will allow the cookies to be properly returned to the browser.

This behavior appears to happen without regard to the presence of a SAML assertion in the incoming request (ie. it doesn't matter if you directly access the IdP or are redirected there from a trusted SP).
Comment 1 Derek Horton 2014-08-19 17:16:15 UTC 
Upstream PR:
https://github.com/picketlink/picketlink/pull/372
Comment 4 JBoss JIRA Server 2014-08-25 15:55:02 UTC 
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-529 to Resolved
Comment 5 Ondrej Kotek 2014-10-16 08:28:33 UTC 
The fix does not work for me. For JBoss EAP 6.3.2.CR1:
  * a test filter is called twice (unlike JBoss EAP 6.3.0)
  * cookies created in the filter are not returned to the browser for base URI (like JBoss EAP 6.3.0)

See BZ 1133099. Backport of PLINK-558 helped. There is manual reproducer available.

BZ 1123427 (Upgrade PicketLink from 2.5.3.SP10-redhat-1 to 2.5.3.SP11-x) is verified but included commits are in wrong order. PLINK-558 commit is the important one and should be placed as the last one.
Comment 6 Ondrej Kotek 2014-10-16 08:37:10 UTC 
To be precise: commits in PicketLink Bindings 2.5.3.SP11-redhat-1.
Comment 7 Ivo Studensky 2014-10-20 11:46:22 UTC 
Fixed in 2.5.3.SP12.
Comment 8 Ondrej Kotek 2014-10-24 14:12:34 UTC 
Verified for JBoss EAP 6.3.2.CR2